You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
e2e Phase 6 (PostgreSQL parity), tests/e2e/pg_parity/test_02_pg_coordination_backends_1137.py: the two test_ac1_* tests ERROR at setup because the _enable_dependency_map fixture drives the Web-UI config front door (GET /admin/config) with an authenticated-but-unelevated session, which the server redirects (303 -> /login). The local _fetch_csrf helper calls raise_for_status() on that redirect and throws, aborting fixture setup.
Affected:
test_ac1_pg_dep_map_sentinel_conflict (ERROR at setup)
test_ac1_pg_release_then_accept_single_active_job (ERROR at setup)
Passing in the same file: test_ac2_* (do not call _enable_dependency_map, so never touch /admin/config) and all of test_01_pg_functional.py (including test_pg_login).
Error
httpx.HTTPStatusError: Redirect response '303 See Other' for url 'http://127.0.0.1:8901/admin/config'
Redirect location: '/login?redirect_to=/admin/config'
Raised from _enable_dependency_map -> form_csrf = _fetch_csrf(web, WEB_CONFIG) or login_csrf (WEB_CONFIG = /admin/config).
Root cause (proven, not hypothesized)
Login succeeds — the fixture's POST /login returns a redirect and the assertion assert "session" in web.cookies passes, so a session cookie IS established.
Cookie is transmitted — Phase 6 writes config.json with "host": "127.0.0.1" (e2e-automation.sh), and should_use_secure_cookies(config) returns False for 127.0.0.1/localhost/::1 (tests/unit/server/web/test_cookie_security.py). So the session cookie is NON-Secure and is sent over the plain-HTTP 127.0.0.1 connection. (The "Secure cookie not sent over HTTP" theory is therefore refuted.)
Secondary defect: the file-local _fetch_csrf (line ~277) calls page.raise_for_status(), so a 303 throws instead of returning "". This defeats the ... or login_csrf fallback the author wrote at the call site — the fallback can never run.
Why it surfaced now (NOT a regression)
This is the FIRST full-regression execution to reach Phase 6. On v11.27.0 the e2e run failed at Phase 3 (temporal log-audit gate, 10 WARNINGs) and halted before Phases 4-6. Fixing #1321 unblocked Phase 3, so Phases 4-5-6 ran for the first time and exposed this pre-existing Phase-6 fixture gap. It is unrelated to the v11.28.0 changes (#1321 temporal-query provider resolution, #1322 langfuse test) — neither touches /admin/config, sessions, CSRF, elevation, or PG coordination.
Fix Direction
Make _enable_dependency_map perform TOTP step-up elevation before hitting /admin/config (mirror whatever pattern other elevation-requiring e2e/web tests use; if the e2e admin has no MFA configured, provision TOTP in the fixture first via the setup flow). Independently, harden the local _fetch_csrf to not raise_for_status() on 3xx (return "" on redirect) so the intended or login_csrf fallback is actually reachable. Reproduce with ./e2e-automation.sh --phase 6.
Severity
priority-3. Pre-existing e2e test-fixture gap in Phase 6 PG-parity; blocks 2 of ~13 Phase-6 tests. No product impact (the elevation gate is working as designed; the test simply doesn't elevate).
Summary
e2e Phase 6 (PostgreSQL parity),
tests/e2e/pg_parity/test_02_pg_coordination_backends_1137.py: the twotest_ac1_*tests ERROR at setup because the_enable_dependency_mapfixture drives the Web-UI config front door (GET /admin/config) with an authenticated-but-unelevated session, which the server redirects (303 -> /login). The local_fetch_csrfhelper callsraise_for_status()on that redirect and throws, aborting fixture setup.Affected:
test_ac1_pg_dep_map_sentinel_conflict(ERROR at setup)test_ac1_pg_release_then_accept_single_active_job(ERROR at setup)Passing in the same file:
test_ac2_*(do not call_enable_dependency_map, so never touch/admin/config) and all oftest_01_pg_functional.py(includingtest_pg_login).Error
Raised from
_enable_dependency_map->form_csrf = _fetch_csrf(web, WEB_CONFIG) or login_csrf(WEB_CONFIG =/admin/config).Root cause (proven, not hypothesized)
POST /loginreturns a redirect and the assertionassert "session" in web.cookiespasses, so a session cookie IS established.config.jsonwith"host": "127.0.0.1"(e2e-automation.sh), andshould_use_secure_cookies(config)returns False for127.0.0.1/localhost/::1(tests/unit/server/web/test_cookie_security.py). So the session cookie is NON-Secure and is sent over the plain-HTTP127.0.0.1connection. (The "Secure cookie not sent over HTTP" theory is therefore refuted.)GET /admin/configand STILL redirects to/login. Conclusion:/admin/configrequires TOTP step-up elevation (Epic [EPIC] Epic: Admin TOTP Step-Up Elevation #922 / Story [STORY] CLI remote mode: TOTP step-up elevation for admin commands #980), and the_enable_dependency_mapfixture authenticates but never performs the elevation step (/admin/elevate->/auth/elevate-form). An authenticated, unelevated session is bounced._fetch_csrf(line ~277) callspage.raise_for_status(), so a 303 throws instead of returning"". This defeats the... or login_csrffallback the author wrote at the call site — the fallback can never run.Why it surfaced now (NOT a regression)
This is the FIRST full-regression execution to reach Phase 6. On v11.27.0 the e2e run failed at Phase 3 (temporal log-audit gate, 10 WARNINGs) and halted before Phases 4-6. Fixing #1321 unblocked Phase 3, so Phases 4-5-6 ran for the first time and exposed this pre-existing Phase-6 fixture gap. It is unrelated to the v11.28.0 changes (#1321 temporal-query provider resolution, #1322 langfuse test) — neither touches
/admin/config, sessions, CSRF, elevation, or PG coordination.Fix Direction
Make
_enable_dependency_mapperform TOTP step-up elevation before hitting/admin/config(mirror whatever pattern other elevation-requiring e2e/web tests use; if the e2e admin has no MFA configured, provision TOTP in the fixture first via the setup flow). Independently, harden the local_fetch_csrfto notraise_for_status()on 3xx (return""on redirect) so the intendedor login_csrffallback is actually reachable. Reproduce with./e2e-automation.sh --phase 6.Severity
priority-3. Pre-existing e2e test-fixture gap in Phase 6 PG-parity; blocks 2 of ~13 Phase-6 tests. No product impact (the elevation gate is working as designed; the test simply doesn't elevate).